userdoc:tt_dnscrypt_proxy [2018/04/07 16:16] abelbeck [DNSCrypt Proxy server list] |
userdoc:tt_dnscrypt_proxy [2023/10/29 10:21] abelbeck [DNSCrypt Proxy server list] |
====== DNSCrypt Proxy Server ====== | ====== DNSCrypt Proxy Server ====== |
| |
| !!DNSCrypt is deprecated in favor of DNS-TLS!!\\ |
| Go to: **[[userdoc:tt_dns_tls_proxy|DNS-TLS Proxy Server]]** |
| |
AstLinux now supports the [[https://github.com/dyne/dnscrypt-proxy/blob/master/README.markdown|DNSCrypt]] (dnscrypt-proxy) package, a tool for securing communications between a client and a DNS resolver. | AstLinux now supports the [[https://github.com/dyne/dnscrypt-proxy/blob/master/README.markdown|DNSCrypt]] (dnscrypt-proxy) package, a tool for securing communications between a client and a DNS resolver. |
!!Note: AstLinux 1.3.3 or later is required for Import sdns: Stamp support!! | !!Note: AstLinux 1.3.3 or later is required for Import sdns: Stamp support!! |
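Review bot: The deprecation banner added at the top of the new revision ("DNSCrypt is deprecated in favor of DNS-TLS") is contradicted by the unchanged intro directly below it, which still reads "AstLinux now supports the DNSCrypt (dnscrypt-proxy) package". Reword the intro so it no longer presents DNSCrypt as the current recommendation, for example by stating that the page is kept for existing installations, so a reader who skims past the banner is not steered into a new deployment of a deprecated resolver path.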
| |
==== DNSCrypt Proxy Configuration ==== | ===== DNSCrypt Proxy Configuration ===== |
| |
Configuring DNSCrypt is as simple as it gets. | Configuring DNSCrypt is as simple as it gets. |
using the OpenDNS defaults for the remaining fields. | using the OpenDNS defaults for the remaining fields. |
| |
==== DNSCrypt Proxy server list ==== | ===== DNSCrypt Proxy server list ===== |
| |
Alternatively, there is a growing number of DNSCrypt providers around the world, some of which may be closer to you. | Alternatively, there is a growing number of DNSCrypt providers around the world, some of which may be closer to you. |
| |
New, current list, using ''sdns:'' stamps\\ | Quad9 current list, using ''sdns:'' stamps\\ |
| [[https://quad9.net/dnscrypt/quad9-resolvers.md|Quad9 DNS resolvers supporting DNSCrypt]] |
| |
| Public, current list, using ''sdns:'' stamps\\ |
[[https://download.dnscrypt.info/dnscrypt-resolvers/v2/public-resolvers.md|Public DNS resolvers supporting DNSCrypt]] | [[https://download.dnscrypt.info/dnscrypt-resolvers/v2/public-resolvers.md|Public DNS resolvers supporting DNSCrypt]] |
| |
Using !!AstLinux 1.3.3 or later!! your can directly import an ''sdns:'' stamp to automatically fill in the three fields. | Using !!AstLinux 1.3.3 or later!! your can directly import an ''sdns:'' stamp to automatically fill in the three fields. |
| |
Old, legacy List\\ | Optionally define the three Server/Provider fields using the table columns titled **Resolver address**, **Provider name** and **Provider public key** (=> scroll to the right edge). |
[[https://github.com/dyne/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv|Public DNS resolvers supporting DNSCrypt]] | |
| |
and optionally define the three Server/Provider fields using the table columns titled **Resolver address**, **Provider name** and **Provider public key** (=> scroll to the right edge). | |
| |
For example the OpenDNS values automatically used are: | For example the OpenDNS values automatically used are: |
| |
!!Tip ->!! Some of you //(you know who you are)// may even want to be your own DNSCrypt provider. [[https://github.com/Cofyc/dnscrypt-wrapper/|DNSCrypt-Wrapper]] is a server-side DNSCrypt proxy that works with any name resolver. | !!Tip ->!! Some of you //(you know who you are)// may even want to be your own DNSCrypt provider. [[https://github.com/Cofyc/dnscrypt-wrapper/|DNSCrypt-Wrapper]] is a server-side DNSCrypt proxy that works with any name resolver. |
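Review bot: In the server list section, removing the "Old, legacy List" link to dnscrypt-resolvers.csv leaves the rewritten sentence "Optionally define the three Server/Provider fields using the table columns titled **Resolver address**, **Provider name** and **Provider public key**" without an antecedent: it no longer says which table it means, and the two remaining links are described only as lists of ''sdns:'' stamps. Either name the source those columns come from or drop the sentence and rely on the stamp import. The typo "your can directly import" is also carried over unchanged into the new revision and should read "you can directly import".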
==== Display DNSCrypt Status ==== | |
| ===== Display DNSCrypt Status ===== |
| |
A quick glance of the Status tab's **DNS** entry will show if DNSCrypt is enabled. | A quick glance of the Status tab's **DNS** entry will show if DNSCrypt is enabled. |
or | or |
dig debug.opendns.com txt +short | dig debug.opendns.com txt +short |
==== Restricting DNS ==== | |
| ===== Restricting DNS ===== |
| |
By default, no changes to the Firewall settings are necessary for DNSCrypt to function. | By default, no changes to the Firewall settings are necessary for DNSCrypt to function. |
The ''SRC='' entry will identify which LAN device is misconfigured. | The ''SRC='' entry will identify which LAN device is misconfigured. |
| |
==== Possible Startup Issues ==== | ===== Possible Startup Issues ===== |
| |
In order to validate the DNSCrypt provider's certificate, the DNSCrypt client's system must have it's clock set to a reasonable time. Fortunately most AstLinux boards have a real time clock with battery backup so this is not a common problem, but if your board's CMOS battery is dead or such, and the system time is not reasonable at startup, this can be a problem when enabling DNSCrypt. Regardless, one of the first things AstLinux does at startup is to accurately set the system clock using the NTP protocol. If the specified NTP server is a numeric IP address or a locally resolved DNS name (via local ''/etc/hosts''), no problem. But, if the specified NTP server was, say "us.pool.ntp.org", we have the classic chicken-egg problem. | In order to validate the DNSCrypt provider's certificate, the DNSCrypt client's system must have it's clock set to a reasonable time. Fortunately most AstLinux boards have a real time clock with battery backup so this is not a common problem, but if your board's CMOS battery is dead or such, and the system time is not reasonable at startup, this can be a problem when enabling DNSCrypt. Regardless, one of the first things AstLinux does at startup is to accurately set the system clock using the NTP protocol. If the specified NTP server is a numeric IP address or a locally resolved DNS name (via local ''/etc/hosts''), no problem. But, if the specified NTP server was, say "us.pool.ntp.org", we have the classic chicken-egg problem. |
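Review bot: The startup-issues paragraph is carried into the new revision with "must have it's clock set" uncorrected; it should be "its clock". Since this paragraph explains why certificate validation fails when the system time is wrong, it would also help to split the long run of sentences so the condition that triggers the problem (an NTP server given as a DNS name such as "us.pool.ntp.org") stands out from the cases that work (a numeric IP address or a name resolved via ''/etc/hosts'').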